One of the biggest topics of the upcoming GDPR tend to be the new fines that the GDPR will bring.
Fines will go up in two tiers, the lower level will include fines of up to €10 million or 2% of the organisation's global turnover, and the upper level, with fines of up to €20 million or 4% of global turnover.
It is important to highlight that the GDPR defines the imposition of fines for each case as "effective, proportionate, and dissuasive". Although fines will be severe, it is not in the spirit of the regulation to cripple individuals (sole traders for instance) or organisations, and that the levels mentioned in the previous paragraph are caps rather than targets.
If a processor or controller breach more than one provision for the regulation intentionally or negligently, the total amount of the fines will never go above the highest cap of the regulation
The nature of the final imposition of fines for each case is complex, but compliance with the principles of GDPR should not be. The basis of the regulation to process data are to do so Lawfully, Transparently and Fairly, and by following the recommended 12 steps to take now issued by the ICO, or if you already comply with the Data Protection Act 1998, you should be in an excellent position to comply, and avoid these fines.
Deciding on a fine
There are many factors that will determine the level of the fines imposed on organisations. The tier system refers to different types of events detailed in Article 83 of the Regulation.
Article 83(2) lists the considerations the supervisory authority will take in order to determine whether to impose a fine and the amount for each individual case:
The nature, gravity and duration of the infringement, taking into consideration the purpose of the processing, as well as the number of data subjects affected and the level of damage suffered.
The intentional or negligent character of the infringement
Any action taken by the controller or processor to mitigate the damage suffered by the data subjects
The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them. (This refers to data protection by design, and security of processing)
Any relevant previous infringements by the controller or processor
The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of it
The categories of personal data affected by the infringement
The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
Where measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
Adherence to approved codes of conduct or approved certification mechanisms
Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
There are two tiers of fines defined in the GDPR. Article 83(4) defines the type of breaches that will be subject to the €10 million or 2% of the total annual worldwide turnover of the organisation on the previous financial year, whichever is is higher.
The processing of information related to a child must be lawful (see Children) (Article 8)
Processing does not require (or no longer requires) the identification of a data subject by a controller. The controller must be able to confirm that they are not in a position to identify the data subjects (Article 11)
The controller should implement appropriate technical and organisational measures before, and during processing of personal data, (see Data protection by design) (Article 25)
Breaches regarding compliance with Article 39, regarding Data Protection Officers
Breaches regarding certification of compliance (Articles 42 and 43)
Breaches regarding lack of compliance with issued Codes of Conduct issued by the Supervisory Authority
The second, higher tier of fines are defined in GDPR under Article 83(5), and involve breaches that will be subject of €20 million or 4% of the total annual worldwide turnover of the organisation on the previous financial year, whichever is is higher.
Principles related to processing of personal data (Article 5)
Lawfulness of processing (Article 6)
Conditions of Consent (Article 7)
Processing of special categories of personal data (Article 9)
Breach of data subjects' rights (Articles 12 to 22)
Transfer of personal data to a recipient in a third country (Articles 44 to 49, where there are many definitions regarding the third countries such as human rights, fundamental freedoms, legislation related to public authorities' access to personal data, etc)
Obligations of a member state law adopted under Chapter IX of the GDPR
Freedom of expression and information
Public access to official documents
Processing of National identification number
Processing in the context of employment
Safeguards relating to processing for archiving purposes in the public interest, scientific, or historical research or statistical purposes
Obligations of secrecy
Existing data protection rules of churches and religious associations
Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority (Article 58(2) ) or failure to provide access in violation of Article 58(1).
GDPR comes into force on 25th May 2018